Latest Crypto related questions

Score: 1
Reda Bourial
Is the generator point on the curve in secp256k1?

Here is the fixed script

# Generator point coordinates
x = 55066263022277343669578718895168534326250603453777594175500187360389116729240
y = 32670510020758816978083085130507043184471273380659243275938904335757337482424
# Field prime p = 2^256 - 2^32 - 977 (this value is the modulus of the field,
# not the group order n; the two constants differ)
p = 115792089237316195423570985008687907853269984665640564039457584007908834671663
# From the curve equation y^2 = x^3 + 7, which holds in GF(p), so reduce mod p
should_be_zero = (y**2 - (x**3 + 7)) % p
print("by applying the curve equation mod p, should_be_zero =", should_be_zero)
Score: 2
Mona
Automated security protocol tool that models algebraic operations

Are there any automated security protocol verification tools that model algebraic operations, specifically addition? I am familiar with AVISPA and Verifpal, and they are both great and user-friendly tools, but they do not support the addition operation.

Please help

Score: 3
Marandil
ChaCha-based Sponge PRNG fails PractRand suite

TL;DR: My simple ChaCha-based sponge PRNG is getting an "unusual" evaluation from the PractRand test battery pretty reliably, sometimes even within the first GB; I'm trying to understand why.

I was in need of a fast, non-cryptographic PRNG, preferably one without a bloated state, or one that would use a portion of its internal state as the output buffer. One of my initial ideas was to use a low-round count Ch ...

Score: 3
BLS signature scheme with G_1 = G_2

The Wikipedia page for BLS digital signature describes a scheme with only two groups, $G$ and $G_T$, and a bilinear pairing $e: G \times G \rightarrow G_T$. To the best of my understanding, in such a scheme both public keys and signatures would belong to the same group $G$, signature verification being performed by comparing elements of $G_T$.

Looking around for real-world implementations of BLS, s ...

Score: 0
nivedita
Attack on AES/DES

Can we devise an attack on AES or DES (ECB mode) if we know just the distribution of the plaintext? For example, it is an English plaintext: we know what that would look like and the relative frequencies of letters, bigrams, and trigrams.

Has anyone come across such types of attacks? It is an advanced version of a known-plaintext attack. Most known-plaintext attacks use uniformly distributed ...

Score: 3
Why does SHA-256 have anything to do with scrypt?

I was reading the Wikipedia page for scrypt because I wanted to learn more about it and I came across their pseudocode for the algorithm. What confused me was the following line (shown as an image in the original post):

I don't understand why having (what I assume to be) an output length of 32 bytes would make it in any way associated with SHA-256. Yes, they would have the same output size but why does it associate it with it in any other ...

Score: 1
interfect
How fast does revealing parity bits leak information?

I've got a scheme where I XOR a secret key value with a public (but random) value, XOR together all the bits of the result, and publish that bit (0 or 1), which is the parity of the result of the XOR. My goal is for this published bit to be hard to predict, for a given public value, before it is published.

I'm certain that this will leak information about the key: I'm doing XOR with a static key  ...
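Added example, not part of the original post. The scheme as described publishes parity(key XOR r) for a public random r, and since parity(key XOR r) = parity(key) XOR parity(r), the only key-dependent quantity in the output is the single bit parity(key): one observation reveals it and every later bit is then predictable from r alone. The block models that, and then models a variant that is my assumption, not the poster's scheme (publish parity(key AND r), i.e. the GF(2) inner product), to show what a genuinely bit-by-bit linear leak looks like: each published bit is one linear equation in the key bits and roughly as many independent equations as key bits recover the whole key by Gaussian elimination.

```python
# Added example, not part of the original post. Models the posted scheme
# (publish parity(key XOR r)) and an assumed AND variant of mine.
import random


def parity(x: int) -> int:
    """XOR of all bits of x."""
    return bin(x).count("1") & 1


def publish_bit(key: int, r: int) -> int:
    """The posted scheme: XOR the key with public r, output the parity."""
    return parity(key ^ r)


def attack_xor_scheme(first_r: int, first_bit: int):
    """parity(key ^ r) == parity(key) ^ parity(r), so the only key-dependent
    quantity is parity(key): one observation reveals it and every later
    published bit is then predictable from r alone."""
    key_parity = first_bit ^ parity(first_r)
    return lambda r: key_parity ^ parity(r)


# --- Assumed variant (not the poster's scheme): publish parity(key AND r). ---
# Each bit is then the inner product <key, r> over GF(2), one linear equation
# in the key bits; about nbits independent equations determine the key.

def publish_bit_and(key: int, r: int) -> int:
    return parity(key & r)


def solve_gf2(equations, nbits):
    """Gaussian elimination over GF(2). equations: list of (mask, rhs) where
    bit i of mask is the coefficient of key bit i. Returns the key, or None
    if the equations do not yet have full rank."""
    pivots = {}  # pivot bit -> (mask, rhs); mask's highest set bit is the pivot
    for mask, rhs in equations:
        for pbit in sorted(pivots, reverse=True):   # reduce by higher pivots first
            if mask >> pbit & 1:
                pmask, prhs = pivots[pbit]
                mask ^= pmask
                rhs ^= prhs
        if mask:
            pivots[mask.bit_length() - 1] = (mask, rhs)
    if len(pivots) < nbits:
        return None
    key = 0
    for pbit in sorted(pivots):  # back-substitute from the lowest pivot up
        mask, rhs = pivots[pbit]
        bit = rhs ^ parity((mask ^ (1 << pbit)) & key)
        key |= bit << pbit
    return key


def recover_key_and(oracle, nbits, rng, max_queries=None):
    """Queries the oracle with random public r until the key is determined."""
    max_queries = max_queries or 4 * nbits
    equations = []
    for i in range(1, max_queries + 1):
        r = rng.getrandbits(nbits)
        equations.append((r, oracle(r)))
        if i >= nbits:
            key = solve_gf2(equations, nbits)
            if key is not None:
                return key, i
    return None, max_queries


def demo(nbits=64, seed=1):
    """Returns (correct predictions out of 1000 for the XOR scheme,
    whether the AND-variant key was recovered, queries that took)."""
    rng = random.Random(seed)          # constructed, deterministic sample data
    key = rng.getrandbits(nbits)
    r0 = rng.getrandbits(nbits)
    predict = attack_xor_scheme(r0, publish_bit(key, r0))
    hits = sum(predict(r) == publish_bit(key, r)
               for r in (rng.getrandbits(nbits) for _ in range(1000)))
    recovered, queries = recover_key_and(lambda r: publish_bit_and(key, r), nbits, rng)
    return hits, recovered == key, queries


if __name__ == "__main__":
    print(demo())
```

For the XOR scheme the answer to "how fast" is therefore: one bit after one observation, and that one bit is all the output ever depends on, so the published bit is fully predictable from the second sample onward. For the AND variant, the key is typically recovered after nbits plus a handful of samples, the surplus covering linearly dependent r values.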

Score: 0
CSAMS
Client Side Encryption For Web Apps

I want to build something where web clients encrypt some data server side and store it with me. However, I am not sure how to manage the user keys; ideally they can just sign in with social to access my web app. I don't want the user to lose their keys if they, say, lose their computer.

What are the best ways to create client side encryption keys for a user if they have access to a socia ...

Score: 3
SykesTheLord
Size of subkey array in Blowfish

I'm writing a school paper about Blowfish encryption, and couldn't seem to find out whether the size of the subkey array for Blowfish changes based on the length of the key. I would assume that it doesn't affect the size of the subkey array, but I'm relatively new to Blowfish encryption.

Score: 0
CryptoGuru
RSA Key Exchange Attack

I am curious what attack the RSA key exchange algorithm is vulnerable to that Diffie-Hellman key exchange is not vulnerable to. I know Diffie-Hellman is prone to man-in-the-middle attacks, but when performing key exchange with RSA, is it also susceptible to some attacks that Diffie-Hellman is not?

Score: 3
Diogo Almeida
How to formalize part of a protocol in ProVerif?

I'm trying to formalize the following protocol in $\mathsf{ProVerif}$, where $m$, $p$ are messages, $j$, $k$, $h$ are private keys, and $\{m\}_k$ is the ciphertext obtained by encrypting $m$ with $k$. Furthermore, $f$ and $g$ are functions whose result does not reveal any information about any of the two arguments. I also want to prove that no adversary not knowing $j$, $k$ or $h$ is capable of dete ...

Score: 1
jaip
How were the initial values for the chaining variables in MD5 determined?

The original description of the MD5 algorithm initializes the values of A, B, C, and D to the following:

word A: 01 23 45 67
word B: 89 ab cd ef
word C: fe dc ba 98
word D: 76 54 32 10

How were the values determined and does it matter how they were chosen?

Score: 1
Caio Nogueira
DDH, CDH and discrete logarithm assumptions

When we consider a group generation algorithm $\mathcal{G}$ (taken from Katz and Lindell's Introduction to Modern Cryptography), that takes as input a security parameter $1^n$ and outputs $(\mathbb{Z}_n, n, g)$, where $\mathbb{Z}_n$ is an additive group, can we say that the DDH, CDH, and discrete logarithm assumptions hold?

On the other hand, if they don't hold for any $g$, which conditions do we  ...

Score: 4
bilaljo
Why are credit cards using 3DES instead of AES?

Why are credit cards using 3DES instead of AES? As far as I understood, even 3DES is less secure than AES. Why is it still used?

I already searched the internet and forums to check whether it is AES by now (and the information from my lecture may just be old), but I didn't find any clue for that.

Score: 2
siba36
How to build a text set for Impossible Differential Cryptanalysis on IDEA?

I'm implementing impossible differential cryptanalysis on 3.5 round IDEA using the methods in "Miss in the middle attack on IDEA and Khufu" paper.

In the first step, I need to provide $2^{32}$ pairs that are identical in $X_2$ and $X_4$ and have all the possibilities in $X_1$ and $X_3$ to start the cryptanalysis.

So I've tried to collect the text for various books to provide the first plaintext and  ...

Score: 1
fadedbee
Is there any point in extending an 80-bit key before using it for HMAC-SHA256?

I have been asked to make a HMAC-SHA256 password digest from:

  • a password
  • some salt, and
  • an 80-bit secret key.

I've been advised that I should be using a key of 256 bits or more for HMAC-SHA256.

The key I have is only 80 bits.

Is there any value in using sha256(key80bit) as the key for HMAC-SHA256, as it will not increase the entropy?

Are other KDFs or key-stretching algorithms preferable?
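Added example, not from the original post: what HMAC actually does with a key shorter than the hash block size, and why pre-hashing the 80-bit key changes the key string but not the attacker's work. RFC 2104 right-pads a key shorter than the block size (64 bytes for SHA-256) with zero bytes and hashes a key longer than the block size, so K and K||0x00... are the same HMAC key; sha256(K) is a different 256-bit string, but there are still only 2^80 of them. The message and the 16-bit toy key used for the brute-force part are constructed by me so the enumeration finishes quickly.

```python
# Added example, not from the original post: HMAC key handling for short keys
# and the cost of brute force with and without a pre-hashed key.
import hashlib
import hmac
import os

BLOCK_SIZE = 64  # SHA-256 block size in bytes; HMAC pads or hashes keys relative to it


def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def zero_padded_key_equivalent(key: bytes, msg: bytes) -> bool:
    """RFC 2104: a key shorter than the block size is right-padded with zero
    bytes before the XOR with ipad/opad, so K and K||0x00.. are the same key."""
    padded = key + b"\x00" * (BLOCK_SIZE - len(key))
    return hmac_sha256(key, msg) == hmac_sha256(padded, msg)


def prehashed_key(key: bytes) -> bytes:
    """sha256(key): 256 bits wide, but only 2^(8*len(key)) distinct values."""
    return hashlib.sha256(key).digest()


def brute_force(tag: bytes, msg: bytes, key_len: int, derive):
    """Recover a key_len-byte key from one (msg, tag) pair by enumerating the
    raw key space; derive() maps the raw key to whatever HMAC is keyed with.
    Returns the key, or None."""
    for k in range(256 ** key_len):
        cand = k.to_bytes(key_len, "big")
        if hmac.compare_digest(hmac_sha256(derive(cand), msg), tag):
            return cand
    return None


def demo():
    msg = b"user=alice;salt=7f3a;pw=correct horse"  # constructed sample input
    key80 = os.urandom(10)                          # the 80-bit secret from the post
    same_tag = zero_padded_key_equivalent(key80, msg)

    # Pre-hashing gives a different, longer HMAC key ...
    differs = hmac_sha256(prehashed_key(key80), msg) != hmac_sha256(key80, msg)

    # ... but the attacker still enumerates the raw key and derives the same
    # way. A 16-bit toy key keeps this to 2^16 HMACs instead of 2^80.
    toy_key = os.urandom(2)
    tag = hmac_sha256(prehashed_key(toy_key), msg)
    recovered = brute_force(tag, msg, 2, prehashed_key)
    return same_tag, differs, recovered == toy_key


if __name__ == "__main__":
    print(demo())
```

The 80-bit key bounds the attacker at 2^80 HMAC evaluations whatever is done to it, which is why pre-hashing buys nothing. What does change the cost is the password side: running the password (with its salt) through a deliberately slow KDF such as PBKDF2-HMAC-SHA256 or scrypt, and treating the 80-bit key as a server-side pepper applied on top, is the usual arrangement for a password digest.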

Score: 5
user2284570
How was the MiMC bug from circomlib safely exploited to fake the Merkle root in the witness in practice?

Several years ago, there was an unenforced constraint on verification in the circomlib library: a tool for building projects using zk-SNARKs. The error allowed forging cryptographic nullifiers/proofs without having a prior commitment. Tornado Cash, using Groth16, was the most well-known affected case: the protocol had to be safely exploited in order to avoid loss of funds.

On the blog post, there we ...

Score: 1
Giszmo
How can I prove group membership in an anonymous way?

I want to accredit members so they can pseudonymously give feedback while still being provably part of a group, without a way to give extra accreditations.

Suppose a group of 100 members (I decide and make public who these members are) want to bit by bit create 100 accounts such that nobody knows which member created which account but without a way of ending up with multiple accounts controlled b ...

Score: 3
kaiya
Entropy of a counter

I wondered whether my understanding of entropy is correct, that a 256-bit counter that starts at 0 and counts to 2^256 - 1 by +1 increments has 256 bits of entropy. I am asking this because I felt it awkward that for RNGs, developers often only specify an entropy.

So is it correct that a non-repeating 256-bit counter has 256-bits of entropy, because the numbers are equally distributed in their appe ...

Score: 1
nivedita
Keyspace in Encryption using Chaotic Maps

I wish to encrypt an image using Logistic map. A Logistic map can be specified with the Equation:

$$x_{n+1} = r\,x_n (1-x_n).$$

Now, according to the Kerckhoff principle, the entire system's security is dependent on the key. Perfect chaos can be achieved with a fixed control parameter ($r$) and initial condition ($x_0$). How can the authors identify the initial conditions ($x_0$) and control parameter(

Score: 4
bugger
In RSA, why are there multiple possible private keys, and even the public key itself that can be used to decrypt the message?

This is with reference to Eddie Woo's video on RSA. He uses the prime numbers '2' and '7' to make the product, n=14. He chooses the public key to be '5', the only possibility. However, many numbers meet the criteria to be the private key, where (5 * private key mod 14) = 1. To name a few, the numbers include 5,11,17. Eddie Woo chooses 11 to be his decryption key.

However, I realised that applying ...
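Added example, not from the original post or the video it references. It reproduces the n = 14, e = 5 numbers from the post and shows where the several private exponents come from: d is defined by e*d = 1 modulo lambda(n) = lcm(p-1, q-1) (or modulo phi(n), which is a multiple of it), not modulo n, so every d0 + k*lambda(n) works. It also shows why e itself decrypts in this toy case (e^2 = 1 mod lambda(14)) and, with a second pair of small primes of my choosing, that this stops being true as soon as e is not self-inverse. Function names are mine.

```python
# Added example, not from the original post: why RSA has many valid private
# exponents, and when the public exponent happens to be one of them.
from math import lcm


def carmichael(p: int, q: int) -> int:
    """lambda(n) for n = p*q, the exponent of the group (Z/nZ)^*."""
    return lcm(p - 1, q - 1)


def private_exponents(e: int, p: int, q: int, count: int = 3) -> list:
    """Every d with e*d = 1 (mod lambda(n)) is valid; return the first `count`."""
    lam = carmichael(p, q)
    d0 = pow(e, -1, lam)
    return [d0 + k * lam for k in range(count)]


def roundtrip_ok(p: int, q: int, e: int, d: int) -> bool:
    """Does (m^e)^d = m (mod n) hold for every message m in 0..n-1?"""
    n = p * q
    return all(pow(pow(m, e, n), d, n) == m for m in range(n))


def public_exponent_decrypts(e: int, p: int, q: int) -> bool:
    """e decrypts its own ciphertexts iff e^2 = 1 (mod lambda(n))."""
    return e * e % carmichael(p, q) == 1


def demo_from_post():
    """n = 14, e = 5 from the post; lambda(14) = lcm(1, 6) = 6."""
    p, q, e = 2, 7, 5
    ds = private_exponents(e, p, q)          # [5, 11, 17], the values in the post
    return ds, all(roundtrip_ok(p, q, e, d) for d in ds), public_exponent_decrypts(e, p, q)


def demo_larger():
    """Constructed case p = 11, q = 13 (n = 143): phi(n) = 120 but lambda(n) = 60,
    so the textbook d = e^-1 mod phi(n) and the smaller d = e^-1 mod lambda(n)
    both work, while e = 7 is not self-inverse and does not decrypt."""
    p, q, e = 11, 13, 7
    d_lambda = pow(e, -1, carmichael(p, q))        # 43
    d_phi = pow(e, -1, (p - 1) * (q - 1))          # 103
    return (d_lambda, d_phi,
            roundtrip_ok(p, q, e, d_lambda),
            roundtrip_ok(p, q, e, d_phi),
            roundtrip_ok(p, q, e, e))


if __name__ == "__main__":
    print(demo_from_post())
    print(demo_larger())
```

With real-size primes e^2 = 1 mod lambda(n) essentially never happens for the usual e = 65537, which is why "the public key decrypts" is an artifact of the tiny demonstration modulus rather than a property of RSA.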

Score: 0
Ievgeni
Why is GCM used more often than CTR?

I've seen (on Wikipedia) that in the more recent version of TLS, counter mode is not used, but Galois/Counter Mode is?

What is the advantage of using GCM instead of counter mode?

Score: 8
Ievgeni
Is Trivium still secure?

What is the best known attack on the stream cipher Trivium?

And is there any good reason not to use it?

By googling the right keywords, I found this paper, but I'm not enough of an expert to judge its relevance.

Score: 1
Can salt just be appended to the password before hashing?

I am currently developing the back end of a website for one of my projects and needed to store passwords. I knew that I needed to store passwords with salt, and my initial approach was to just generate the salt and append it to the password. However, to check that I wasn't being stupid I looked it up and saw a multitude of functions built into Node.js (the framework I'm using) to incorporate salt into has ...

Score: 1
sg777
Support for the curve FRP256v1

When I list the curves using openssl ecparam -list_curves, I don't see any curve named FRP256v1. Does OpenSSL actually support FRP256v1? If so, can you please let me know the version in which support for this curve exists? The OpenSSL version where I checked this is OpenSSL 1.1.1 11 Sep 2018.

Score: 2
foo
How bad exactly are repetitions in the plaintext?

When the last n bytes of the plaintext are themselves suitably random, but predictably repeat m times in the same message - how bad is that? I'm convinced it is detrimental, but I am uncertain how detrimental exactly.

Edit: assume a Padding Oracle to be available.

NB: I'm not asking about the same overall plaintext sent multiple times.

I was looking into several know attacks, but couldn't come up with a c ...

Score: 1
Myria
How to recognize DER nested OCTET SEQUENCEs?

I asked OpenSSL to generate a dummy Ed25519 private key for me and got this output:

https://lapo.it/asn1js/#MC4CAQAwBQYDK2VwBCIEIJCO9eKZEUOmL9CGfecuKqvYU_hLTAFXwl0Ipd8xNXbP

It decodes to the following:

SEQUENCE (3 elem)
  INTEGER 0
  SEQUENCE (1 elem)
    OBJECT IDENTIFIER 1.3.101.112 curveEd25519 (EdDSA 25519 signature algorithm)
  OCTET STRING (34 byte) 0420908EF5E2991143A62FD0867DE72E2AABD853F84B ...
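Added example, not from the original post: a minimal DER TLV walker run on the exact key from the asn1js link above. It also makes the point behind the question concrete: DER itself never says that an OCTET STRING's content is DER; only the enclosing schema does. Here the outer structure is PKCS#8 OneAsymmetricKey, whose privateKey OCTET STRING for Ed25519 contains the CurvePrivateKey OCTET STRING of RFC 8410 (hence the 04 20 prefix inside the 34-byte value). The "looks like DER" test in the walker is a heuristic of mine, not part of any standard, and it can misfire on raw bytes that happen to parse; the schema-driven parser at the end is the reliable way.

```python
# Added example, not from the original post: DER walker and a schema-driven
# PKCS#8 Ed25519 parser run on the dummy key from the post.
import base64

# The URL-safe base64 from the asn1js link in the post.
DUMMY_ED25519_PKCS8 = base64.urlsafe_b64decode(
    "MC4CAQAwBQYDK2VwBCIEIJCO9eKZEUOmL9CGfecuKqvYU_hLTAFXwl0Ipd8xNXbP")

TAG_INTEGER, TAG_OCTET_STRING, TAG_OID, TAG_SEQUENCE = 0x02, 0x04, 0x06, 0x30


def read_tlv(buf: bytes, pos: int = 0):
    """Parse one DER element starting at pos; returns (tag, value, end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("element runs past end of buffer")
    return tag, buf[pos:end], end


def decode_oid(value: bytes) -> str:
    """Dotted OID from its base-128 encoding (first byte holds two arcs)."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def looks_like_der(buf: bytes) -> bool:
    """Heuristic (mine): the content parses as exactly one well-formed element."""
    try:
        _, _, end = read_tlv(buf)
    except (IndexError, ValueError):
        return False
    return end == len(buf)


def walk(buf: bytes, depth: int = 0, out=None) -> list:
    """Flatten the structure into (depth, tag, length) triples, descending into
    constructed types and into OCTET STRINGs whose content looks like DER."""
    out = [] if out is None else out
    pos = 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        out.append((depth, tag, len(value)))
        if tag & 0x20 or (tag == TAG_OCTET_STRING and looks_like_der(value)):
            walk(value, depth + 1, out)
    return out


def parse_ed25519_pkcs8(der: bytes) -> dict:
    """OneAsymmetricKey ::= SEQUENCE { version INTEGER, algorithm SEQUENCE { OID },
    privateKey OCTET STRING }, where privateKey wraps CurvePrivateKey ::= OCTET STRING
    (RFC 8410). The nesting is known from the schema, not guessed from the bytes."""
    tag, body, _ = read_tlv(der)
    if tag != TAG_SEQUENCE:
        raise ValueError("expected SEQUENCE")
    _, version, pos = read_tlv(body)
    _, alg, pos = read_tlv(body, pos)
    _, oid, _ = read_tlv(alg)
    _, private_key, _ = read_tlv(body, pos)
    inner_tag, seed, _ = read_tlv(private_key)   # CurvePrivateKey
    return {"version": int.from_bytes(version, "big"),
            "algorithm": decode_oid(oid),
            "inner_tag": inner_tag,
            "seed": seed}


if __name__ == "__main__":
    for depth, tag, length in walk(DUMMY_ED25519_PKCS8):
        print("  " * depth + f"tag 0x{tag:02x} ({length} bytes)")
    print(parse_ed25519_pkcs8(DUMMY_ED25519_PKCS8))
```

On this input the walker descends one level into the 34-byte OCTET STRING because its content is a single well-formed element (04 20 plus 32 bytes), and stops at the 32-byte seed because those bytes do not parse as one complete element. That second outcome is luck, not a guarantee: a different random seed could start with bytes that happen to form a valid TLV.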
Score: 0
William Entriken
Best progress on pre-image attacks?

What is the best progress (i.e. most bits) in crafting messages with a chosen hash image for modern hash functions?

Blockchain networks with proof of work are basically brute force machines for pre-image attack on keccak with a target image of 0x000.000.

So I was looking for some idea of what the "best hash" ever found was.

Score: 3
Max Weber
Break Lattice-Based Cryptography with Variational Quantum Algorithm (only 25k qubits for Kyber1024)?

I am currently writing a seminar paper on Kyber and other lattice-based methods. I was so excited about the lattice-based methods that I also currently searched quantum algorithms to solve the methods.

In the process, I came across this paper: https://www.mdpi.com/1099-4300/24/10/1428/pdf, called "Using Variational Quantum Algorithm to Solve the LWE Problem." by Lihui Lv et. al. There, the authors claim  ...

Score: 0
js wang
Question about the homomorphic property of the Paillier cryptosystem breaking after the modulus n is taken

Hi, I am watching these slides about threshold signatures: http://cyber.biu.ac.il/wp-content/uploads/2021/11/Threshold_Sinature_Schemes_Rosario_Gennaro.pdf
On page 39 it says that the homomorphic property of Paillier relies on the message being small, and that if the mod n is taken, the homomorphic property breaks.
I am trying to understand this; could anyone provide some help? I would truly appreciate it. ...
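Added example, not from the slides or the original post: a toy Paillier instance that shows the additive homomorphism Enc(m1) * Enc(m2) = Enc(m1 + m2 mod n) holding only modulo n, so a sum (or scalar multiple) that exceeds n silently wraps. The primes 47 and 59 and the sample messages are constants of my choosing; the class and method names are mine.

```python
# Added example, not from the slides or the post: toy Paillier showing that
# the homomorphism is modulo n, so sums beyond n wrap around.
from math import gcd, lcm
import secrets


class Paillier:
    def __init__(self, p: int, q: int):
        self.n = p * q
        self.n2 = self.n * self.n
        self.g = self.n + 1                     # standard choice g = n + 1
        self.lam = lcm(p - 1, q - 1)
        # mu = L(g^lambda mod n^2)^-1 mod n
        self.mu = pow(self._L(pow(self.g, self.lam, self.n2)), -1, self.n)

    def _L(self, u: int) -> int:
        return (u - 1) // self.n

    def encrypt(self, m: int) -> int:
        """c = g^m * r^n mod n^2 with random r in Z_n^*."""
        while True:
            r = secrets.randbelow(self.n)
            if r and gcd(r, self.n) == 1:
                break
        return pow(self.g, m, self.n2) * pow(r, self.n, self.n2) % self.n2

    def decrypt(self, c: int) -> int:
        """m = L(c^lambda mod n^2) * mu mod n; the result is always reduced mod n."""
        return self._L(pow(c, self.lam, self.n2)) * self.mu % self.n

    def add(self, c1: int, c2: int) -> int:
        """Enc(m1) * Enc(m2) = Enc(m1 + m2 mod n)."""
        return c1 * c2 % self.n2

    def mul_const(self, c: int, k: int) -> int:
        """Enc(m)^k = Enc(k * m mod n)."""
        return pow(c, k, self.n2)


def demo() -> dict:
    pk = Paillier(47, 59)                        # n = 2773, deliberately tiny
    m1, m2 = 2000, 1500                          # m1 + m2 = 3500 > n
    small = pk.decrypt(pk.add(pk.encrypt(200), pk.encrypt(150)))        # 350
    wrapped = pk.decrypt(pk.add(pk.encrypt(m1), pk.encrypt(m2)))        # 3500 mod 2773 = 727
    scaled = pk.decrypt(pk.mul_const(pk.encrypt(700), 3))               # 2100 < n
    scaled_wrap = pk.decrypt(pk.mul_const(pk.encrypt(700), 5))          # 3500 wraps to 727
    return {"n": pk.n, "small": small, "wrapped": wrapped,
            "scaled": scaled, "scaled_wrap": scaled_wrap}


if __name__ == "__main__":
    print(demo())
```

The "message is small" condition on the slide is this wrap-around: the ciphertext arithmetic computes the true integer sum only while every intermediate value stays below n. That is why protocols that use Paillier to combine shares of curve-order-sized values (as the threshold-signature constructions in those slides do) pick n far larger than any quantity they add or multiply, and add range proofs where a malicious party could otherwise push a value past n.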
